In re application of:
McArdle et al. 
Application No. 09/803,527 
Filed: 03/08/2001 

For: AUTOMATICALLY CONFIGURING 
A COMPUTER FIREWALL BASED ON 
Group Art Unit: 2145
Examiner Choudhury, Azizul Q. 
Date: December 15, 2006 



Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

ATTENTION: Board of Patent Appeals and Interferences 

APPEAL BRIEF (37 C.F.R. § 41.37)

This brief is in furtherance of the Notice of Appeal, filed in this case on May 31, 2006, and the
Notice of Panel Decision from Pre-Appeal Brief Review mailed August 15, 2006.

The fees required under § 1.17, and any required petition for extension of time for filing this brief 
and fees therefor, are dealt with in the accompanying TRANSMITTAL OF APPEAL BRIEF. 

This brief contains these items under the following headings, and in the order set forth below (37
C.F.R. § 41.37(c)(1)):



I REAL PARTY IN INTEREST

II RELATED APPEALS AND INTERFERENCES

III STATUS OF CLAIMS

IV STATUS OF AMENDMENTS

V SUMMARY OF CLAIMED SUBJECT MATTER

VI GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL

VII ARGUMENT

VIII CLAIMS APPENDIX

IX EVIDENCE APPENDIX

X RELATED PROCEEDING APPENDIX

The final page of this brief bears the practitioner's signature. 
I REAL PARTY IN INTEREST (37 C.F.R. § 41.37(c)(1)(i))
The real party in interest in this appeal is McAfee, Inc. 
CENTRAL FAX CENTER DEC 15 2006

II RELATED APPEALS AND INTERFERENCES (37 C.F.R. § 41.37(c)(1)(ii))

With respect to other prior or pending appeals, interferences, or related judicial proceedings that 
will directly affect, or be directly affected by, or have a bearing on the Board's decision in the 
pending appeal, there are no other such appeals, interferences, or related judicial proceedings. 

A Related Proceedings Appendix is appended hereto. 
III STATUS OF CLAIMS (37 C.F.R. § 41.37(c)(1)(iii))



A. TOTAL NUMBER OF CLAIMS IN APPLICATION
Claims in the application are: 1-2, 4, 6-17, 19, 21, 24, 26, 28-32 



B. STATUS OF ALL THE CLAIMS IN APPLICATION 



1. Claims withdrawn from consideration: None

2. Claims pending: 1-2, 4, 6-17, 19, 21, 24, 26, 28-32

3. Claims allowed: None

4. Claims rejected: 1-2, 4, 6-17, 19, 21, 24, 26, 28-32

5. Claims cancelled: 3, 5, 18, 20, 22, 23, 25, 27, 33-43



C. CLAIMS ON APPEAL 



The claims on appeal are: 1-2, 4, 6-17, 19, 21, 24, 26, 28-32 



See additional status information in the Appendix of Claims. 
IV STATUS OF AMENDMENTS (37 C.F.R. § 41.37(c)(1)(iv))

As to the status of any amendment filed subsequent to final rejection, an amendment was filed
after a final rejection on 03/31/2006 and such amendment was entered as noted in the Advisory
Action mailed 04/24/2006.

V SUMMARY OF CLAIMED SUBJECT MATTER (37 C.F.R. § 41.37(c)(1)(v))

With respect to a summary of Claim 1, as shown in Figures 1A-1B, a computerized method is
provided for automatically configuring a firewall (e.g. see item 103 of Figure 1A, etc.) operating
within an individual computer (e.g. see item 101 of Figure 1A, etc.). In use, a zone is determined
for a network address dynamically assigned to a network adapter (e.g. see item 105 of Figure 1A,
etc.) in the individual computer and a security policy (e.g. see items 109 and 117 of Figures 1A
and 1B respectively, etc.) for the zone is associated with the network adapter, where the security
policy specifies the firewall configuration to protect the individual computer.

The security policy is defined by a policy file which includes a policy file data structure stored as
an XML (extensible markup language) document. A security policy section of the policy file
data structure includes an entry for each security policy that is identified by a policy identifier
field and is associated with a network protocol that is identified by a protocol identifier field. In
addition, the security policy section specifies filters for at least a portion of ports and services
defined by the network protocol, and each port and service associated with the security policy is
identified by an element identifier field, a field containing filter settings, and a log indicator field.

At least one security policy is included for a TCP/IP network and includes a PPTP (point-to-
point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol),
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a
NetBIOS (network basic input/output system) service. Further, a default setting for a high
security policy on the TCP/IP network disallows incoming network traffic through the PPTP and
ICMP ports. The default setting also allows incoming network traffic through the RIP, DHCP,
ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the
individual computer, and disallows the individual computer from using shared resources of other
computers on the TCP/IP network, where incoming network traffic that attempts to access the
individual computer using PPTP and NetBIOS is logged.
A zone section of the policy file data structure includes an entry for each defined address zone
and includes an identifier field, an address parameters field that defines the zone, and an 
identifier field for the security policy assigned to the zone. A default zone is defined by 
addresses that are outside another zone. 

The determining and associating is performed when the network address for the network adapter 
changes. The security policy associated with the network protocol is specific to the network 
protocol. Additionally, the zone is defined by a set of network addresses, which comprises at 
least one address outside the zone. 

The network address dynamically assigned to the network adapter is determined by at least one
of mapping an adapter registry identifier to an associated network address stored in an operating
system registry, monitoring network traffic at the network adapter and examining a predefined
limited amount of the network traffic to determine the network address, and receiving a network
address from a network adapter device driver when the network adapter connects to the TCP/IP
network. See, for example, page 3, line 19-page 4, line 15 et al.

With respect to a summary of Claim 11, as shown in Figures 1A-1B, a computer-readable
medium having computer-executable instructions is provided to automatically configure a
firewall (e.g. see item 103 of Figure 1A, etc.) operating within an individual computer (e.g. see
item 101 of Figure 1A, etc.). In use, a zone is determined for a network address dynamically
assigned to a network adapter (e.g. see item 105 of Figure 1A, etc.) in the individual computer,
and the zone is defined based on a set of network addresses, including at least one address
outside the zone. In addition, a security policy for the zone is associated with the network
adapter, where the security policy specifies the firewall configuration to protect the individual
computer.

The security policy (e.g. see items 109 and 117 in Figures 1A and 1B respectively, etc.) is
defined by a policy file which includes a policy file data structure stored as an XML (extensible
markup language) document. A security policy section of the policy file data structure includes
an entry for each security policy that is identified by a policy identifier field and is associated
with a network protocol that is identified by a protocol identifier field.
Further, the security policy section specifies filters for at least a portion of ports and services
defined by the network protocol, and each port and service associated with the security policy is
identified by an element identifier field, a field containing filter settings, and a log indicator field.
At least one security policy is included for a TCP/IP network and includes a PPTP (point-to-
point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol),
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a
NetBIOS (network basic input/output system) service.

Still yet, a default setting for a high security policy on the TCP/IP network disallows incoming
network traffic through the PPTP and ICMP ports. The default setting also allows incoming
network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the
NetBIOS service to shared resources on the individual computer, and disallows the individual
computer from using shared resources of other computers on the TCP/IP network, where
incoming network traffic that attempts to access the individual computer using PPTP and
NetBIOS is logged.

A zone section of the policy file data structure includes an entry for each defined address zone
and includes an identifier field, an address parameters field that defines the zone, and an
identifier field for the security policy assigned to the zone. A default zone is defined by
addresses that are outside another zone. Moreover, the determining and associating is performed
when the network address for the network adapter changes. The security policy associated with
the network protocol is specific to the network protocol.

The network address dynamically assigned to the network adapter is determined by at least one
of mapping an adapter registry identifier to an associated network address stored in an operating
system registry, monitoring network traffic at the network adapter and examining a predefined
limited amount of the network traffic to determine the network address, and receiving a network
address from a network adapter device driver when the network adapter connects to the TCP/IP
network. See, for example, page 3, line 19-page 4, line 15 et al.
With respect to a summary of Claim 21, as shown in Figures 1A, 1B and 4B, a computerized
system is provided that includes a processing unit (e.g. see item 55 of Figure 4B, etc.), a memory
(e.g. see item 59 of Figure 4B, etc.) coupled to the processing unit through a bus (e.g. see item 57
of Figure 4B, etc.), and a network adapter (e.g. see item 105 of Figure 1A, etc.) coupled to the
processing unit through the bus and further operable for coupling to a network (e.g. see items
111 and 113 in Figures 1A and 1B, respectively, etc.).

In addition, a firewall process (e.g. see item 103 of Figure 1A, etc.) is executed from the memory
by the processing unit to protect the computerized system when the network adapter is coupled
to a network by causing the processing unit to filter data addressed to the network adapter
according to a security policy (e.g. see items 109 and 117 of Figures 1A-1B, respectively, etc.).
Further, a firewall configuration process is executed from the memory by the processing unit to
cause the processing unit to determine a zone for a network address dynamically assigned to the
network adapter and to associate a firewall security policy for the zone with the network adapter.

The security policy is defined by a policy file which includes a policy file data structure stored as
an XML (extensible markup language) document. A security policy section of the policy file
data structure includes an entry for each security policy that is identified by a policy identifier
field and is associated with a network protocol that is identified by a protocol identifier field.
The security policy section specifies filters for at least a portion of ports and services defined by
the network protocol, and each port and service associated with the security policy is identified
by an element identifier field, a field containing filter settings, and a log indicator field.

At least one security policy is included for a TCP/IP network and includes a PPTP (point-to-
point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol),
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a
NetBIOS (network basic input/output system) service.

Additionally, a default setting for a high security policy on the TCP/IP network disallows
incoming network traffic through the PPTP and ICMP ports. This default setting also allows
incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through
the NetBIOS service to shared resources on the individual computer, and disallows the individual
computer from using shared resources of other computers on the TCP/IP network, where
incoming network traffic that attempts to access the individual computer using PPTP and
NetBIOS is logged. A zone section of the policy file data structure includes an entry for each
defined address zone and includes an identifier field, an address parameters field that defines the
zone, and an identifier field for the security policy assigned to the zone. A default zone is
defined by addresses that are outside another zone.

Still yet, the firewall configuration process is executed by the processing unit when the network
address for the network adapter changes. The security policy associated with the network
protocol is specific to the network protocol. The firewall configuration process further causes
the processing unit to define the zone based on a set of network addresses comprising at least one
address outside the zone.

The network address dynamically assigned to the network adapter is determined by at least one
of mapping an adapter registry identifier to an associated network address stored in an operating
system registry, monitoring network traffic at the network adapter and examining a predefined
limited amount of the network traffic to determine the network address, and receiving a network
address from a network adapter device driver when the network adapter connects to the TCP/IP
network. See, for example, page 3, line 19-page 4, line 15 et al.
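The policy file data structure and zone lookup that the summaries of Claims 1, 11 and 21 describe, as an added example written for this page rather than code from the application or from McAfee. The XML element and attribute names, the CIDR form of the address parameters, and the fail-closed treatment of a port the policy does not list are assumptions; the brief names only the fields.

```python
"""Model of the claimed policy file: a security policy section (policy
identifier, protocol identifier, per-element filter setting and log
indicator) and a zone section (zone identifier, address parameters,
assigned policy identifier), plus the determine-zone / associate-policy
step that runs when an adapter's dynamically assigned address changes."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample policy file (element/attribute names are assumptions).
# The "high" policy mirrors the default setting the brief describes; the
# zone without an "addresses" attribute is the default zone, i.e. every
# address that lies outside another zone.
POLICY_XML = """<policyFile>
  <securityPolicies>
    <policy id="high" protocol="TCP/IP">
      <element id="PPTP" filter="deny" log="true"/>
      <element id="ICMP" filter="deny" log="false"/>
      <element id="RIP" filter="allow" log="false"/>
      <element id="DHCP" filter="allow" log="false"/>
      <element id="ARP" filter="allow" log="false"/>
      <element id="VPN" filter="allow" log="false"/>
      <element id="NetBIOS" filter="deny" log="true"/>
    </policy>
    <policy id="trusted" protocol="TCP/IP">
      <element id="NetBIOS" filter="allow" log="false"/>
    </policy>
  </securityPolicies>
  <zones>
    <zone id="office" addresses="10.0.0.0/8,192.168.1.0/24" policy="trusted"/>
    <zone id="default" policy="high"/>
  </zones>
</policyFile>"""


@dataclass
class SecurityPolicy:
    policy_id: str
    protocol_id: str
    filters: dict = field(default_factory=dict)  # element id -> (filter, log)


@dataclass
class Zone:
    zone_id: str
    networks: list  # address parameters; empty list marks the default zone
    policy_id: str


@dataclass
class PolicyFile:
    policies: dict  # policy identifier -> SecurityPolicy
    zones: list     # in file order


def load_policy_file(xml_text):
    """Parse the policy file and check that every zone names a known policy
    and that exactly one default zone exists (rejecting a file that would
    leave some address with no policy at all)."""
    root = ET.fromstring(xml_text)
    policies = {}
    for p in root.iter("policy"):
        pol = SecurityPolicy(p.get("id"), p.get("protocol"))
        for e in p.findall("element"):
            pol.filters[e.get("id")] = (e.get("filter"), e.get("log") == "true")
        policies[pol.policy_id] = pol
    zones = []
    for z in root.iter("zone"):
        raw = z.get("addresses", "")
        nets = [ipaddress.ip_network(a.strip()) for a in raw.split(",") if a.strip()]
        if z.get("policy") not in policies:
            raise ValueError(f"zone {z.get('id')} references unknown policy")
        zones.append(Zone(z.get("id"), nets, z.get("policy")))
    if sum(1 for z in zones if not z.networks) != 1:
        raise ValueError("policy file must define exactly one default zone")
    return PolicyFile(policies, zones)


def determine_zone(policy_file, address):
    """Zone whose address parameters contain the address, else the default zone."""
    ip = ipaddress.ip_address(address)
    for zone in policy_file.zones:
        if any(ip in net for net in zone.networks):
            return zone.zone_id
    return next(z.zone_id for z in policy_file.zones if not z.networks)


def configure_adapter(policy_file, adapter, new_address):
    """Run on an address change: determine the zone, then associate the
    zone's security policy with the adapter."""
    zone_id = determine_zone(policy_file, new_address)
    zone = next(z for z in policy_file.zones if z.zone_id == zone_id)
    return {"adapter": adapter, "zone": zone_id, "policy": zone.policy_id}


def filter_decision(policy_file, policy_id, element_id):
    """Filter setting and log indicator for one port/service under a policy.
    A port the policy does not list is denied and logged (assumed fail-closed
    behaviour; the brief does not state one)."""
    return policy_file.policies[policy_id].filters.get(element_id, ("deny", True))


if __name__ == "__main__":
    pf = load_policy_file(POLICY_XML)
    for addr in ("192.168.1.20", "8.8.8.8"):
        print(configure_adapter(pf, "eth0", addr))
```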
VI GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL (37 C.F.R. § 41.37(c)(1)(vi))

Following, under each issue listed, is a concise statement setting forth the corresponding ground
of rejection.

Issue # 1: The Examiner has rejected Claims 1-2, 4, 6-17, 19, 21, 24, 26, and 28-32 under 35 U.S.C.
103(a) as being unpatentable over Coss et al. (U.S. Patent No. 6,098,172) in view of Minear et al.
(U.S. Patent No. 5,983,350).
VII ARGUMENT (37 C.F.R. § 41.37(c)(1)(vii))

The claims of the groups noted below do not stand or fall together. In the present section,
appellant explains why the claims of each group are believed to be separately patentable.



Issue # 1 : 



The Examiner has rejected Claims 1-2, 4, 6-17, 19, 21, 24, 26, and 28-32 under 35 U.S.C. 103(a)
as being unpatentable over Coss et al. (U.S. Patent No. 6,098,172) in view of Minear et al. (U.S.
Patent No. 5,983,350).

Group #1: Claims 1-2, 4, 7-9, 14-16, 19, 21, 24, 26, 29, and 31-32



With respect to the present grouping, the Examiner has relied on the following excerpt from the
Coss reference to make a prior art showing of appellant's claimed technique "wherein the
security policy section specifies filters for at least a portion of ports and services defined by the
network protocol, and each port and service associated with the security policy is identified by an
element identifier field, a field containing filter settings, and a log indicator field" (see this or
similar, but not necessarily identical language in each of the independent claims).



"...policy to use for a new network session. Each new session must be
approved by the security policies of the source domain and the
destination domain(s). For connections going to the Internet, it is
likely that only a single domain check is performed. The DSE makes the
domain selection based on the incoming or outgoing network interface,
as well as on the source or destination network address of each packet.
Inclusion, in packets, of source or destination addresses allows for
multiple users to be supported by a single network interface. The
incoming or outgoing network interface may be in the form of a network
interface card (NIC), e.g., an Intel EtherExpress Pro 100B card
available from Intel Corporation.

FIGS. 5A and 5B illustrate over-all flow for packet processing by a
firewall which supports multiple domains. Such processing includes
determining the domains which the packet is to cross, examining the
applicable rules to ascertain whether the packet may pass, and
determining whether any special processing is required. In the
firewall..." (Col. 6, lines 49-67)
Appellant respectfully asserts that the Coss reference simply teaches the approval of new
network sessions by the security policies of source and destination domains, as well as packet
processing by a firewall. However, unlike the Coss reference, appellant claims the identification
of each port and service associated with the security policy "by an element identifier field, a field
containing filter settings, and a log indicator field," as claimed (emphasis added). As a result,
appellant's claims are distinct from the Coss reference.

In the Advisory Action mailed 04/24/2006, the Examiner argued that the "Service," "Source
Host," "Destination Host," "Audit Session," and "Action" categories in the chart listed in
between Cols. 3 and 4 in Coss disclose appellant's claimed technique. Appellant respectfully
asserts that Coss simply discloses that "[t]he security policies can be represented by sets of
access rules which are represented in tabular form." However, sets of access rules in the security
policy fail to disclose a technique "wherein the security policy section specifies filters for at least
a portion of ports and services defined by the network protocol, and each port and service
associated with the security policy is identified by an element identifier field, a field containing
filter settings, and a log indicator field," as claimed by appellant (emphasis added). Moreover,
appellant respectfully asserts that the "Action" category field with the description of '[r]ule
action, e.g., "pass," "drop" or "proxy",' as argued by the Examiner, simply fails to disclose "a
field containing filter settings," as claimed by appellant.

Further, with respect to the present grouping, the Examiner has relied on the following excerpt
from the Minear reference to make a prior art showing of appellant's claimed technique "wherein
a security policy section of the policy file data structure includes an entry for each security policy
that is identified by a policy identifier field and is associated with a network protocol that is
identified by a protocol identifier field" (see this or similar, but not necessarily identical
language in each of the independent claims).

"8. A firewall, comprising:

a first communications interface;

a second communications interface;

a first network protocol stack connected to the first communications
interface, wherein the first network protocol stack includes an
Internet Protocol (IP) layer and a transport layer;

a second network protocol stack connected to the second communications
interface, wherein the second network protocol stack includes an
Internet Protocol (IP) layer and a transport layer;

a security policy;

a decryption procedure, operating at the IP layer of the first network
protocol stack, the decryption procedure receiving encrypted messages
received by said first communications interface and outputting
decrypted messages; and

an application layer proxy, connected to the transport layers of said
first and second network protocol stacks, wherein the application layer
proxy includes a plurality of authentication protocols, wherein each
authentication protocol provides a different level of security, wherein
the application layer proxy receives decrypted messages from the
decryption procedure, selects an authentication protocol from the
plurality of authentication protocols based on the content of the
decrypted message, and executes the selected authentication protocol
and wherein the application layer proxy determines based on the
security policy whether the message is to be forwarded, and wherein the
message is returned to the IP layer if the message is to be forwarded;

a third communications interface; and

a third network protocol stack connected to the third communications
interface and to the application layer proxy, wherein the third network
protocol stack includes an Internet Protocol (IP) layer and a transport
layer and wherein the second and third network protocol stacks are
restricted to first and second burbs, respectively." (Claim 8)

Appellant respectfully asserts that the above excerpt from the Minear reference merely teaches
an application layer proxy that includes a plurality of authentication protocols. Appellant, on the
other hand, claims "a security policy section of the policy file data structure [that] includes an
entry for each security policy that is identified by a policy identifier field and is associated with a
network protocol that is identified by a protocol identifier field," as claimed (emphasis added).
Since no mention is made in the above excerpt from Minear regarding the use of any identifier
fields, let alone those specifically claimed by appellant, such claims are clearly distinct.



Additionally, the Examiner has not even specifically addressed appellant's claimed techniques
"wherein at least one security policy is included for a TCP/IP network and includes a PPTP
(point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol),
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a
NetBIOS (network basic input/output system) service;" "wherein a zone section of the policy file
data structure includes an entry for each defined address zone and includes an identifier field, an
address parameters field that defines the zone, and an identifier field for the security policy
assigned to the zone;" "wherein a default zone is defined by addresses that are outside another
zone;" and "wherein the security policy associated with the network protocol is specific to the
network protocol." After careful review of both the Minear and Coss references, appellant notes
that the above language claimed by appellant is clearly not even suggested by the prior art of
record.

In the Advisory Action mailed 04/24/2006, the Examiner argued "that no limit is placed by either
art as to what types of protocols can be handled within the firewall designs" and that "claim 8 of
Minear's design demonstrates how multiple protocols are applicable to the design." However,
appellant respectfully asserts that each "network protocol stack [is] connected to [a]
communications interface," as disclosed by Minear in claim 8, simply fails to teach a technique
"wherein at least one security policy is included for a TCP/IP network and includes a PPTP
(point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol),
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a
NetBIOS (network basic input/output system) service," as claimed by appellant (emphasis
added).

Furthermore, with respect to the present grouping, the Examiner has simply dismissed, under
Official Notice, appellant's claimed technique "wherein the security policy is defined by a policy
file which includes a policy file data structure stored as an XML (extensible markup language)
document" and "wherein a default setting for a high security policy on the TCP/IP network
disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network
traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS
service to shared resources on the individual computer, and disallows the individual computer
from using shared resources of other computers on the TCP/IP network, where incoming
network traffic that attempts to access the individual computer using PPTP and NetBIOS is
logged."
Appellant notes upon careful inspection of the prior art that neither the Coss nor the Minear
references mentions the storage of a policy file data structure, much less a policy file data
structure stored as an XML document, in the manner claimed by appellant. Additionally,
appellant respectfully asserts that neither the Coss nor Minear references teach any sort of
"default setting for a high security policy," and especially not in the foregoing detailed context
claimed by appellant. Appellant thus formally requests a specific showing of the subject matter
in ALL of the claims in any future action. Note excerpt from MPEP below.

"If the applicant traverses such an [Official Notice] assertion the
examiner should cite a reference in support of his or her position."
See MPEP 2144.03.

In the Advisory Action mailed 04/24/2006, the Examiner, in a blanket manner, cited Greschler
et al. (U.S. Patent No. 6,938,096) to meet appellant's claimed "default setting for a high security
policy." Appellant has reviewed the entire Greschler reference and respectfully asserts that
Greschler fails to disclose a specific technique "wherein a default setting for a high security
policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP
ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows
access through the NetBIOS service to shared resources on the individual computer, and
disallows the individual computer from using shared resources of other computers on the TCP/IP
network, where incoming network traffic that attempts to access the individual computer using
PPTP and NetBIOS is logged," as claimed by appellant.

Moreover, appellant notes that the Examiner fails to cite specific motivation in the above
references to support the case for combining the Greschler reference. The Examiner is reminded
that the Federal Circuit requires that there must be some logical reason apparent from the
evidence of record that would justify the combination or modification of references. In re Regel,
188 USPQ 132 (CCPA 1975). Thus, without specific motivation, appellant respectfully asserts
that reliance on such reference is inappropriate.

In the Advisory Action mailed 04/24/2006, the Examiner, again, in a blanket manner, cited
Stiles et al. (U.S. Patent No. 6,842,737), Virgin et al. (U.S. Patent No. 6,826,542), and MacPhail
(U.S. Patent No. 6,593,943) to meet appellant's claim language. Appellant has carefully
considered the references relied upon by the Examiner, and respectfully asserts that they merely
teach usage of XML documents. The references simply fail to disclose a technique "wherein the
security policy is defined by a policy file which includes a policy file data structure stored as an
XML (extensible markup language) document," as claimed by appellant (emphasis added).

In addition, appellant again notes that the Examiner fails to cite specific motivation in the above
references to support the case for combining the Stiles, Virgin and MacPhail references. The
Examiner is again reminded that the Federal Circuit requires that there must be some logical
reason apparent from the evidence of record that would justify the combination or modification
of references. In re Regel, 188 USPQ 132 (CCPA 1975). Thus, without specific motivation,
appellant respectfully asserts that reliance on such references is inappropriate.

Additionally, with respect to the present grouping, the Examiner has relied on the following
excerpt from the Coss reference, along with Claim 8 from the Minear reference (reproduced
above), to make a prior art showing of appellant's claimed technique "wherein the zone is
defined by a set of network addresses, which comprises at least one address outside the zone"
(see the same or similar, but not necessarily identical language in at least some of the
aforementioned independent claims).



"701: the domain table is searched for a match of the interface name;

702: if a matching table entry is found, and if the IP address range is
present in the matching table entry, the packet address is checked as
to whether it is within the range; if so, the specified domain is
selected; otherwise, the search continues with the next table entry"
(Col. 7, lines 61-67)

Appellant respectfully asserts that the Coss reference simply teaches a technique for searching a
domain table for an interface name match and the comparison of a packet address to an IP
address range. Further, the Minear reference teaches an application layer proxy that includes a
plurality of authentication protocols. Nowhere in either of the references, however, is "[a] set of
network addresses compris[ing] at least one address outside the zone" mentioned, as claimed by
appellant (emphasis added).

In the Advisory Action mailed 04/24/2006, the Examiner argued that Fig. 5A in Coss "indicated
the comparison of address versus a table" and that Fig. 7 in Coss "indicates how the address
range is considered and an appropriate response is performed based on the address range."
Specifically, Fig. 5 indicates a yes/no branch if the "domain [is] in [the] table" and Fig. 7
indicates a yes/no branch if the "packet address [is] within range." Appellant respectfully asserts
that the branches indicated in the referenced figures clearly fail to disclose "wherein the zone is
defined by a set of network addresses, which comprises at least one address outside the zone," as
claimed by appellant (emphasis added).

Also, with respect to the present grouping, the Examiner has relied on the following excerpt from
the Coss reference, along with Claim 8 from the Minear reference (reproduced above), to make a
prior art showing of appellant's claimed technique "wherein the network address dynamically
assigned to the network adapter is determined by at least one of: mapping an adapter registry
identifier to an associated network address stored in an operating system registry; monitoring
network traffic at the network adapter and examining a predefined limited amount of the network
traffic to determine the network address; and receiving a network address from a network adapter
device driver when the network adapter connects to the TCP/IP network."

example, specific source and destination port numbers. They can be 
loaded at any time by trusted parties, e.g., a trusted application, 
remote proxy or firewall administrator, to authorize specific network 
sessions. A dynamic rule can be set for..." (Col. 9, lines 6-9) 

Appellant respectfully asserts that the Coss reference simply teaches the loading of dynamic 
rules and that the Minear reference merely teaches an application layer proxy that includes a 
plurality of authentication protocols. Appellant, on the other hand, claims the determination of 
the network address dynamically assigned to the network adapter "by [at least one of] mapping 
an adapter registry identifier to an associated network address stored in an operating system 
registry; monitoring network traffic at the network adapter and examining a predefined limited 
amount of the network traffic to determine the network address; and receiving a network address 
from a network adapter device driver when the network adapter connects to the TCP/IP 
network," as claimed (emphasis added). The prior art makes no mention of the determination of 
a network address, much less in the specific context claimed by appellant. 

In the Advisory Action mailed 04/24/2006, the Examiner, in a blanket manner, relied upon 
NETBIOS RFC 1001, MANET RFC 2501, and DHCP RFC 2131 to make a prior art showing of 
appellant's claimed technique. Appellant respectfully points out that, specifically, page 10 of the 
NETBIOS RFC 1001 merely discloses that "NetBIOS resources are referenced by name" and 
that "an application, representing a resource, registers one or more names that it wishes to use." 
However, referencing a resource by name simply fails to disclose a technique "wherein the 
network address dynamically assigned to the network adapter is determined by . . . mapping an 
adapter registry identifier to an associated network address stored in an operating system 
registry," as claimed by appellant (emphasis added). 

In addition, pages 4 and 5 of the MANET RFC 2501 simply disclose that '[t]he concept of a 
"node identifier" (separate and apart from the concept of an "interface identifier") is crucial to 
supporting the multigraph topology of the routing fabric.' MANET continues to disclose that 
this node identifier "is what 'unifies' a set of wireless interfaces and identifies them as 
belonging to the same mobile platform [which] permits maximum flexibility in address 
assignment." However, the node identifiers as disclosed in MANET simply fail to even suggest 
the technique "wherein the network address dynamically assigned to the network adapter is 
determined by . . . monitoring network traffic at the network adapter and examining a predefined 
limited amount of the network traffic to determine the network address," as claimed by appellant 
(emphasis added). 

Furthermore, pages 12 and 15 of DHCP RFC 2131 simply teach that "[t]he client broadcasts a 
DHCPDISCOVER message on its local physical subnet" and "[t]he server selected in the 
DHCPREQUEST message commits the binding for the client to persistent storage and responds 
with a DHCPACK message containing the configuration parameters for the requesting client." 
However, this client request and server response fail to disclose a technique "wherein the 
network address dynamically assigned to the network adapter is determined by . . . receiving a 
network address from a network adapter device driver when the network adapter connects to the 
TCP/IP network," as claimed by appellant (emphasis added). 

Moreover, appellant notes that the Examiner fails to cite specific motivation in the above 
references to support the case for combining the NETBIOS RFC 1001, the MANET RFC 2501 
and the DHCP RFC 2131 references. The Examiner is reminded that the Federal Circuit requires 
that there must be some logical reason apparent from the evidence of record that would justify 
the combination or modification of references. In re Kegel, 188 USPQ 132 (CCPA 1975). Thus, 
without specific motivation, appellant respectfully asserts that reliance on such references is 
inappropriate. 

To establish a prima facie case of obviousness, three basic criteria must be met. First, there must 
be some suggestion or motivation, either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to modify the reference or to combine 
reference teachings. Second, there must be a reasonable expectation of success. Finally, the prior 
art reference (or references when combined) must teach or suggest all the claim limitations. The 
teaching or suggestion to make the claimed combination and the reasonable expectation of 
success must both be found in the prior art and not based on appellant's disclosure. In re 
Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991). 

Appellant respectfully asserts that at least the first and third elements of the prima facie case of 
obviousness have not been met, as noted above. 

Group #2: Claims 6, 13 and 28 

With respect to the current grouping, the Examiner has relied on the following excerpt from the 
Coss reference to make a prior art showing of appellant's claimed "assigning the security policy 
to the zone." 

"In the firewall, a decision module or engine, here called a 'domain 
support engine' (DSE) determines which security policy to use for a new 
network session. Each new session must be approved by the security 
policies of the source domain and the destination domain(s). For 
connections going to the Internet, it is likely that only a single 
domain check is performed. The DSE makes the domain selection based on 
the incoming or outgoing network interface, as well as on the source or 
destination network address of each packet. Inclusion, in packets, of 
source or destination addresses allows for multiple users to be 
supported by a single network interface. The incoming or outgoing 
network interface may be in the form of a network interface card (NIC), 
e.g., an Intel EtherExpress Pro 100B card available from Intel 
Corporation." (Col. 6, lines 48-61) 

Specifically, the Examiner stated that the above citation "allows for the policies to be applied to 
zones." However, appellant respectfully disagrees with such argument and points out that the 
cited reference merely discloses "determin[ing] which security policy to use for a new network 
session" and that "[e]ach new session must be approved by the security policies of the source 
domain and the destination domain(s)." Appellant respectfully asserts that the determination of a 
security policy for a new network session and the approval of a new session by security policies 
are quite different from "assigning the security policy to the zone," as claimed by appellant 
(emphasis added). 

Again, appellant respectfully asserts that at least the first and third elements of the prima facie 
case of obviousness have not been met, as noted above. 

Group #3: Claims 10, 17 and 30 

With respect to the present grouping, the Examiner has relied on Col. 9, lines 6-9 of the Coss 
reference (shown above) to make a prior art showing of appellant's claimed "receiving data from 
a predetermined location on the network through the network adapter; and creating the policy file 
from the data." Specifically, the Examiner argues that this reference citation "allows for the 
downloading of policies." 

Appellant respectfully asserts that the Coss reference merely teaches the loading of dynamic 
rules "at any time by trusted parties, e.g., a trusted application, remote proxy or firewall 
administrator, to authorize specific network sessions." Clearly, loading dynamic rules does not 
even suggest "receiving data from a predetermined location on the network through the network 
adapter; and creating the policy file from the data," as claimed by the appellant (emphasis 
added). 

Again, appellant respectfully asserts that at least the first and third elements of the prima facie 
case of obviousness have not been met, as noted above. 

In view of the remarks set forth hereinabove, all of the independent claims are deemed 
allowable, along with any claims depending therefrom. 

VIII CLAIMS APPENDIX (37 C.F.R. § 41.37(c)(1)(viii)) 

The text of the claims involved in the appeal (along with associated status information) is set 
forth below: 

1. (Previously Presented) A computerized method for automatically configuring a firewall operating 
within an individual computer comprising: 

determining a zone for a network address dynamically assigned to a network adapter in the 
individual computer; and 

associating a security policy for the zone with the network adapter, the security policy 
specifying the firewall configuration to protect the individual computer; 

wherein the security policy is defined by a policy file which includes a policy file data 
structure stored as an XML (extensible markup language) document; 

wherein a security policy section of the policy file data structure includes an entry for each 
security policy that is identified by a policy identifier field and is associated with a network protocol 
that is identified by a protocol identifier field; 

wherein the security policy section specifies filters for at least a portion of ports and services 
defined by the network protocol, and each port and service associated with the security policy is 
identified by an element identifier field, a field containing filter settings, and a log indicator field; 

wherein at least one security policy is included for a TCP/IP network and includes a PPTP 
(point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host 
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), 
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a 
NetBIOS (network basic input/output system) service; 

wherein a default setting for a high security policy on the TCP/IP network disallows 
incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic 
through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to 
shared resources on the individual computer, and disallows the individual computer from using 
shared resources of other computers on the TCP/IP network, where incoming network traffic that 
attempts to access the individual computer using PPTP and NetBIOS is logged; 
wherein a zone section of the policy file data structure includes an entry for each defined 
address zone and includes an identifier field, an address parameters field that defines the zone, and 
an identifier field for the security policy assigned to the zone; 

wherein a default zone is defined by addresses that are outside another zone; 

wherein the determining and associating is performed when the network address for the 
network adapter changes; 

wherein the security policy associated with the network protocol is specific to the network 
protocol; 

wherein the zone is defined by a set of network addresses, which comprises at least one 
address outside the zone; 

wherein the network address dynamically assigned to the network adapter is determined by at 
least one of: 

mapping an adapter registry identifier to an associated network address stored in an 
operating system registry; 

monitoring network traffic at the network adapter and examining a predefined limited 
amount of the network traffic to determine the network address; and 

receiving a network address from a network adapter device driver when the network 
adapter connects to the TCP/IP network. 
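As an added illustration, not part of this brief and not the applicant's software, the following Python program models the policy file data structure and the zone determination recited in claim 1 above. It parses a constructed XML policy file whose security policy section carries element identifier, filter setting and log indicator fields and whose zone section carries zone identifier, address parameters and policy identifier fields; it treats a zone with no address parameters as the default zone for addresses outside every other zone; and it re-determines the zone and re-associates the policy with the adapter only when the adapter's address changes. The tag and attribute names, the sample addresses, and the rule that an element not listed in the active policy is blocked are assumptions of this example, not anything the claims specify.

```python
"""Constructed illustration of the policy file recited in claim 1: XML security
policies, address zones with a default zone, and re-association on address change.
Tag and attribute names (policy, element, zone, addresses, ...) are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample policy file. The "high" policy encodes the default settings
# recited in claim 1: PPTP and ICMP blocked, RIP/DHCP/ARP/VPN allowed, NetBIOS
# blocked, PPTP and NetBIOS attempts logged. A zone with no address parameters
# is the default zone: every address outside all other zones.
SAMPLE_POLICY_XML = """<?xml version="1.0"?>
<firewallPolicy>
  <securityPolicies>
    <policy id="high" protocol="tcpip">
      <element id="PPTP"    filter="block" log="true"/>
      <element id="RIP"     filter="allow" log="false"/>
      <element id="DHCP"    filter="allow" log="false"/>
      <element id="ARP"     filter="allow" log="false"/>
      <element id="ICMP"    filter="block" log="false"/>
      <element id="VPN"     filter="allow" log="false"/>
      <element id="NetBIOS" filter="block" log="true"/>
    </policy>
    <policy id="medium" protocol="tcpip">
      <element id="PPTP"    filter="allow" log="true"/>
      <element id="NetBIOS" filter="allow" log="false"/>
    </policy>
  </securityPolicies>
  <zones>
    <zone id="office" addresses="10.1.0.0/16, 10.2.0.0/16" policy="medium"/>
    <zone id="home"   addresses="192.168.1.0/24"          policy="medium"/>
    <zone id="default" policy="high"/>
  </zones>
</firewallPolicy>
"""

@dataclass
class Filter:
    action: str   # filter settings field: "allow" or "block"
    log: bool     # log indicator field

@dataclass
class SecurityPolicy:
    policy_id: str
    protocol: str
    filters: dict  # element identifier field -> Filter

@dataclass
class Zone:
    zone_id: str
    networks: list  # address parameters field; empty list marks the default zone
    policy_id: str  # identifier of the security policy assigned to the zone

def load_policy_file(xml_text):
    """Parse the policy file into (policies keyed by id, zones in document order)."""
    root = ET.fromstring(xml_text)
    policies = {}
    for p in root.iter("policy"):
        filters = {e.get("id"): Filter(e.get("filter"), e.get("log") == "true")
                   for e in p.findall("element")}
        policies[p.get("id")] = SecurityPolicy(p.get("id"), p.get("protocol"), filters)
    zones = []
    for z in root.iter("zone"):
        raw = z.get("addresses")
        nets = [ipaddress.ip_network(a.strip(), strict=False) for a in raw.split(",")] if raw else []
        zones.append(Zone(z.get("id"), nets, z.get("policy")))
    return policies, zones

def determine_zone(zones, address):
    """First zone whose address set contains the address, otherwise the default zone."""
    ip = ipaddress.ip_address(address)
    for z in zones:
        if any(ip in n for n in z.networks):
            return z
    for z in zones:
        if not z.networks:
            return z
    raise LookupError("policy file defines no default zone")

class AdapterFirewall:
    """One adapter's firewall; zone and policy are re-determined only on address change."""

    def __init__(self, policies, zones):
        self.policies, self.zones = policies, zones
        self.current_address = None
        self.active_policy = None
        self.reconfigurations = 0

    def address_changed(self, new_address):
        """Entry point for the address notification (registry, traffic monitor or driver)."""
        if new_address == self.current_address:
            return self.active_policy  # same address: keep the current configuration
        self.current_address = new_address
        zone = determine_zone(self.zones, new_address)
        self.active_policy = self.policies[zone.policy_id]
        self.reconfigurations += 1
        return self.active_policy

    def allows_incoming(self, element):
        """Assumption: an element the active policy does not list is blocked."""
        f = self.active_policy.filters.get(element)
        return f is not None and f.action == "allow"

    def should_log(self, element):
        f = self.active_policy.filters.get(element)
        return f is not None and f.log
```

Feeding the same address twice leaves `reconfigurations` unchanged, which is the "performed when the network address for the network adapter changes" condition of the claim; an address outside both listed zones falls into the default zone and therefore gets the high policy, so the most restrictive filters apply to unknown networks.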

2. (Original) The computerized method of claim 1 further comprising: 

determining the network address assigned to the network adapter. 

3. (Cancelled) 

4. (Previously Presented) The computerized method of claim 1, wherein the set of network addresses 
comprises at least one address within the zone. 

5. (Cancelled) 

6. (Original) The computerized method of claim 1 further comprising: 

assigning the security policy to the zone. 
7. (Previously Presented) The computerized method of claim 1 further comprising: 

retrieving the policy file that contains definitions for the zone and the security policy and 
specifies that the security policy is assigned to the zone. 

8. (Original) The computerized method of claim 7 further comprising: 

creating the policy file from data input by a user. 

9. (Original) The computerized method of claim 7 further comprising: 

creating the policy file from data input by an administrator. 

10. (Previously Presented) The computerized method of claim 7 further comprising: 

receiving data from a predetermined location on the network through the network adapter; and 

creating the policy file from the data. 

11. (Previously Presented) A computer-readable medium having computer-executable instructions to 
automatically configure a firewall operating within an individual computer comprising: 

determining a zone for a network address assigned dynamically to a network adapter in the 
individual computer; 

defining the zone based on a set of network addresses including at least one address outside 
the zone; and 

associating a security policy for the zone with the network adapter, the security policy 
specifying the firewall configuration to protect the individual computer; 

wherein the security policy is defined by a policy file which includes a policy file data 
structure stored as an XML (extensible markup language) document; 

wherein a security policy section of the policy file data structure includes an entry for each 
security policy that is identified by a policy identifier field and is associated with a network protocol 
that is identified by a protocol identifier field; 

wherein the security policy section specifies filters for at least a portion of ports and services 
defined by the network protocol, and each port and service associated with the security policy is 
identified by an element identifier field, a field containing filter settings, and a log indicator field; 
wherein at least one security policy is included for a TCP/IP network and includes a PPTP 
(point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host 
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), 
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a 
NetBIOS (network basic input/output system) service; 

wherein a default setting for a high security policy on the TCP/IP network disallows 
incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic 
through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to 
shared resources on the individual computer, and disallows the individual computer from using 
shared resources of other computers on the TCP/IP network, where incoming network traffic that 
attempts to access the individual computer using PPTP and NetBIOS is logged; 

wherein a zone section of the policy file data structure includes an entry for each defined 
address zone and includes an identifier field, an address parameters field that defines the zone, and 
an identifier field for the security policy assigned to the zone; 

wherein a default zone is defined by addresses that are outside another zone; 

wherein the determining and associating is performed when the network address for the 
network adapter changes; 

wherein the security policy associated with the network protocol is specific to the network 
protocol; 

wherein the network address dynamically assigned to the network adapter is determined by at 
least one of: 

mapping an adapter registry identifier to an associated network address stored in an 
operating system registry; 

monitoring network traffic at the network adapter and examining a predefined limited 
amount of the network traffic to determine the network address; and 

receiving a network address from a network adapter device driver when the network 
adapter connects to the TCP/IP network. 

12. (Original) The computer-readable medium of claim 11 having further computer-readable 
instructions comprising: 

determining the network address assigned to the network adapter. 
13. (Original) The computer-readable medium of claim 11 having further computer-readable 
instructions comprising: 

assigning the security policy to the zone. 

14. (Previously Presented) The computer-readable medium of claim 11 having further computer-readable 
instructions comprising: 

retrieving the policy file that contains definitions for the zone and the security policy and 
specifies that the sectirity policy is assigned to the zone. 

15. (Original) The computer-readable medium of claim 14 having further computer-readable 
instructions comprising: 

creating the policy file from data input by a user. 

16. (Original) The computer-readable medium of claim 14 having further computer-readable 
instructions comprising: 

creating the policy file from data input by an administrator. 

17. (Previously Presented) The computer-readable medium of claim 14 having further computer- 
readable instructions comprising: 

receiving data from a predetermined location on the network through the network adapter; and 

creating the policy file from the data. 

18. (Cancelled) 

19. (Previously Presented) The computer-readable medium of claim 11 having further computer-readable 
instructions comprising: 

including at least one address within the zone in the set of network addresses. 

20. (Cancelled) 

21. (Previously Presented) A computerized system comprising: 
a processing unit; 

a memory coupled to the processing unit through a bus; 

a network adapter coupled to the processing unit through the bus and further operable for 
coupling to a network; 

a firewall process executed from the memory by the processing unit to protect the 
computerized system when the network adapter is coupled to a network by causing the processing 
unit to filter data addressed to the network adapter according to a security policy; and 

a firewall configuration process executed from the memory by the processing unit to cause 
the processing unit to determine a zone for a network address dynamically assigned to the network 
adapter and to associate a firewall security policy for the zone with the network adapter; 

wherein the security policy is defined by a policy file which includes a policy file data 
structure stored as an XML (extensible markup language) document; 

wherein a security policy section of the policy file data structure includes an entry for each 
security policy that is identified by a policy identifier field and is associated with a network protocol 
that is identified by a protocol identifier field; 

wherein the security policy section specifies filters for at least a portion of ports and services 
defined by the network protocol, and each port and service associated with the security policy is 
identified by an element identifier field, a field containing filter settings, and a log indicator field; 

wherein at least one security policy is included for a TCP/IP network and includes a PPTP 
(point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host 
configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), 
ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a 
NetBIOS (network basic input/output system) service; 

wherein a default setting for a high security policy on the TCP/IP network disallows 
incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic 
through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to 
shared resources on the individual computer, and disallows the individual computer from using 
shared resources of other computers on the TCP/IP network, where incoming network traffic that 
attempts to access the individual computer using PPTP and NetBIOS is logged; 

wherein a zone section of the policy file data structure includes an entry for each defined 
address zone and includes an identifier field, an address parameters field that defines the zone, and 
an identifier field for the security policy assigned to the zone; 
wherein a default zone is defined by addresses that are outside another zone; 

wherein the firewall configuration process is executed by the processing unit when the 
network address for the network adapter changes; 

wherein the security policy associated with the network protocol is specific to the network 
protocol; 

wherein the firewall configuration process further causes the processing unit to define the 
zone based on a set of network addresses comprising at least one address outside the zone; 

wherein the network address dynamically assigned to the network adapter is determined by at 
least one of: 

mapping an adapter registry identifier to an associated network address stored in an 
operating system registry; 

monitoring network traffic at the network adapter and examining a predefined limited 
amount of the network traffic to determine the network address; and 

receiving a network address from a network adapter device driver when the network 
adapter connects to the TCP/IP network. 

22. (Cancelled) 

23. (Cancelled) 

24. (Original) The computerized system of claim 21 wherein the firewall configuration process 
further causes the processing unit to determine the network address of the network adapter. 

25. (Cancelled) 

26. (Previously Presented) The computerized system of claim , wherein the set of network addresses 
comprises at least one address within the zone. 

27. (Cancelled) 

28. (Previously Presented) The computerized system of claim 21, wherein the firewall configuration 
process further causes the processing unit to assign the security policy to the zone. 
29. (Previously Presented) The computerized system of claim 21, wherein the firewall configuration 
process further causes the processing unit to retrieve the policy file that contains definitions for the 
zone and the security policy and specifies that the security policy is assigned to the zone. 

30. (Previously Presented) The computerized system of claim 29, wherein the firewall configuration 
process further causes the processing unit to receive data from a user and to create the policy file 
from the data. 

31. (Previously Presented) The computerized system of claim 29, wherein the firewall configuration 
process further causes the processing unit to receive data from an administrator and to create the 
policy file from the data. 

32. (Previously Presented) The computerized system of claim 29, wherein the firewall configuration 
process further causes the processing unit to receive data from a predetermined location on the 
network through the network adapter and to create the policy file from the data. 

33^3. (Cancelled) 
IX EVIDENCE APPENDIX (37 C.F.R. § 41.37(c)(1)(ix)) 

There is no such evidence. 
X RELATED PROCEEDING APPENDIX (37 C.F.R. § 41.37(c)(1)(x)) 

N/A 
In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees due 
in connection with the filing of this paper, the Commissioner is authorized to charge such fees to 
Deposit Account No. 50-1351 (Order No. NAI1P361/00.166.01). 




Facsimile: (408) 971-4660 